Data: sorting the truth from the lies

Myth 1: UK law says I can’t transfer my data outside the UK
Truth: Wrong. You can transfer personal data within the EEA, to any country on the EU Commission’s adequacy list, and to other countries where appropriate safeguards are in place, such as the EU/US Privacy Shield for transfers to certified US companies.

Myth 2: German law says I can’t transfer my data outside Germany
Truth: Wrong. This article explains that and other German law myths: Dispelling German Data Myths.

Myth 3: If I use a server in India but only access the data stored on it from the UK, that’s not a transfer
Truth: Wrong. Storing the data on a server in India is a transfer of that data to India, regardless of where you access it from, and it must comply with the Data Protection Act.

Myth 4: It’s cheaper to pay a data breach fine than implement proper data security
Truth: Actually, that’s probably true until May 2018. The ICO fined TalkTalk £400,000 for its data breach; the maximum it could have imposed was £500,000. Had GDPR been enforceable in the UK at the time, that fine could have been up to £70,000,000. So, from May 2018 (when GDPR becomes enforceable), it will probably be cheaper to avoid a fine.

Myth 5: My cloud provider contracts on standard terms and therefore dictates the data terms. That means they’re the controller, not me, so they’ll be fined, not me
Truth: Wrong. You’re still the controller, and you need to check the terms and make sure they will protect the data properly. You could be fined, and you’ll probably find your cloud provider has excluded all liability in its standard terms.

Myth 6: GDPR won’t change anything
Truth: Wrong. Apart from the massive new fines, it introduces a number of changes, including more rights for individuals. Read my article for more info.

Myth 7: GDPR won’t apply in the UK because of Brexit
Truth: Wrong. GDPR becomes enforceable in May 2018. The UK will still be in the EU then, so GDPR will apply.

Myth 8: Upon Brexit, GDPR is a form of EU red tape that will be abolished
Truth: Unlikely. The Great Repeal Bill, which is intended to convert existing EU law into UK law on exit day, will likely curtail freedom of movement of people, not data.

Myth 9: UK compliance with GDPR will be unaffected by Brexit
Truth: Brexit will likely take the UK outside the EEA. If the EU Commission decides that the UK Investigatory Powers Act is too broad to grant the UK an adequacy decision, the UK will need its own Privacy Shield for transfers from the EU.

Myth 10: GDPR means I have to appoint a Data Protection Officer
Truth: Yes, if you’re a public sector organisation, if you regularly and systematically monitor individuals on a large scale, or if you process special categories of data (or criminal conviction data) on a large scale. Otherwise, no, you don’t need a dedicated DPO. You should still appoint someone with responsibility for data compliance, though, to avoid those nasty fines.

Myth 12: I’ve been doing business for 25 years. I don’t need you to tell me about the DPA and contracts.
Truth: You’re probably right. With massive data breach fines on the way and other changes under GDPR, you’re probably already updating your contracts to reduce your new risks.